Tag Info

The LWE assumption
I think we should start from the LWE assumption.
Let $n$ and $q$ be integers and let $\chi$ be a distribution over $\mathbb{Z}_q$. We often take $\chi$ as a Gaussian with small variance. (We take an error $e$ from this distribution $\chi$ and assume that $|e| \ll q$.)
The LWE assumption states that any efficient adversary cannot ...
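A toy Regev-style bit encryption built on exactly the objects named above ($n$, $q$, a small error distribution $\chi$, $|e| \ll q$), added here as an illustration and not part of the answer. The parameters and the bounded-uniform stand-in for the Gaussian $\chi$ are assumptions chosen for readability, far too small for real use; what the code shows is why smallness of $e$ matters: stripping $\langle u, s\rangle$ from the ciphertext leaves only the accumulated error $r\cdot e$, which stays well below $q/4$ and so never flips the encoded bit.

```python
"""Toy Regev-style encryption on top of LWE samples (illustration only, assumed toy parameters)."""
import random

N, Q, M = 10, 1021, 40     # dimension n, modulus q, number m of LWE samples in the public key
ERR_BOUND = 2              # stand-in for a small-variance Gaussian chi: e uniform in [-2, 2]


def sample_error(rng):
    return rng.randint(-ERR_BOUND, ERR_BOUND)


def lwe_samples(s, m, rng):
    """Return (A, b) with b = A*s + e mod q: m LWE samples under the secret s."""
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(m)]
    b = [(sum(a_i * s_i for a_i, s_i in zip(row, s)) + sample_error(rng)) % Q for row in A]
    return A, b


def keygen(rng):
    s = [rng.randrange(Q) for _ in range(N)]
    return s, lwe_samples(s, M, rng)


def encrypt(pk, bit, rng):
    """Sum a random subset of the samples; add bit * q/2 to the second component."""
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]
    u = [sum(r[j] * A[j][i] for j in range(M)) % Q for i in range(N)]
    v = (sum(r_j * b_j for r_j, b_j in zip(r, b)) + bit * (Q // 2)) % Q
    return u, v


def residual_noise(s, ct):
    """What the key holder sees after removing <u, s>: r.e + bit*q/2, mapped to (-q/2, q/2]."""
    u, v = ct
    d = (v - sum(u_i * s_i for u_i, s_i in zip(u, s))) % Q
    return d if d <= Q // 2 else d - Q


def decrypt(s, ct):
    d = residual_noise(s, ct)
    return 1 if abs(d) > Q // 4 else 0   # |r.e| <= ERR_BOUND * M = 80 << q/4, so the bit survives


def roundtrip_ok(seed=1, trials=50):
    rng = random.Random(seed)
    s, pk = keygen(rng)
    return all(decrypt(s, encrypt(pk, bit, rng)) == bit
               for _ in range(trials) for bit in (0, 1))


def max_noise(seed=3, trials=30):
    """Largest |r.e| observed over encryptions of 0: bounded by ERR_BOUND * M."""
    rng = random.Random(seed)
    s, pk = keygen(rng)
    return max(abs(residual_noise(s, encrypt(pk, 0, rng))) for _ in range(trials))
```

With `ERR_BOUND * M = 80` and `q // 4 = 255` decryption is always correct; raising the error bound or the sample count until the noise crosses $q/4$ is the quickest way to see the $|e| \ll q$ condition fail.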

Yes. Such proofs are possible for El Gamal.
It involves a zero knowledge proof of equality of a discrete log, together with the homomorphic property of El Gamal encryption.
Recall that given $E(a)$ and $E(b)$, anyone can form $E(a/b)$ using the homomorphic property of El Gamal. Suppose $E(a/b)=(r,s)=(g^k,h^k a/b)$ (where $g$ is the generator and $h$ is ...

Repeatedly encrypting the same message to the same ciphertext is full of practical attacks. Encryption is supposed to leak no information about the content of the message other than its length, and there are very real ways to exploit the information leakage you mention. Some of them have to do with the fact that plaintext domains are not always very large. ...

Well, whether it is a secure tweakable block cipher depends on how resistant (E,D) are to related key attacks; that's not a standard assumption for block ciphers.
For example, this would not be a secure tweakable block cipher with 3DES; because every 8th bit is ignored, the attacker can effectively test the value of the 7 adjacent bits (except for the 7 ...

In your formula, $n$ appears to relate to the key space, not the message space.
The message space does not intervene in the definition of IND-CPA, and that's a good thing because practical message spaces consist in messages which "make sense" in a given context. There are situations where the attacker already guesses quite a lot of the attacked message, and ...

Encryption using a block cipher such as AES by passing plaintext blocks directly to the encryption function is known as Electronic Code Book mode (ECB) and is not CPA secure as (as you say in your question) it is entirely deterministic and two identical plaintext blocks will result in two identical ciphertext blocks.
To prevent this an initialisation ...

The Caesar cipher (aka Shift cipher) has, as you said, a key space of size 26. To achieve perfect secrecy, it thus can have at most 26 plaintexts and ciphertexts. With a message space of one character (and every key only used once), it would fit the definition of perfect secrecy.
For the usual use with messages longer than one character, or multiple ...

First, on the difference between perfect security and semantic security. Both definitions concern confidentiality, so let us first define what confidentiality means.
Note first that an adversary as some a priori knowledge of the message. We can capture that by e.g. having the adversary choose two messages and then flipping a fair coin to decide which one to ...

If an attacker can choose the points $P_i$, then this system is not semantically secure. For example, they may choose $P_2=2P_1$, and the corresponding encryption $Q_2$ would be equal to $2Q_1$.
If the points are chosen at random, this system is semantically secure if decisional Diffie-Hellman assumption holds for the curve. This assumption is presumed to ...
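The chosen-point observation above, worked through on a real curve as an added example (not part of the answer): "encrypting" a point means $Q_i = k P_i$ with a secret scalar $k$, and an adversary who picks $P_2 = 2P_1$ and $P_3 = P_1 + P_2$ can check $Q_2 = 2Q_1$ and $Q_3 = Q_1 + Q_2$ without knowing $k$. The curve constants are secp256k1's; the affine point arithmetic is a minimal assumed implementation for illustration, not a library.

```python
"""Q_i = k*P_i leaks linear relations between attacker-chosen P_i (added illustration)."""
import random

# secp256k1: y^2 = x^3 + 7 over F_P, base point G of prime order N
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def add(p1, p2):
    """Affine point addition (handles doubling and the inverse-point case)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc


def encrypt_point(k, pt):
    """The scheme under discussion: the 'ciphertext' of P is k*P for a secret scalar k."""
    return mul(k, pt)


def chosen_point_attack(k):
    """Adversary picks P2 = 2*P1 and P3 = P1 + P2, then verifies the same relations on the
    ciphertexts. Returns True when the relations hold, i.e. the scheme is distinguishable."""
    p1 = mul(random.randrange(1, N), G)
    p2 = mul(2, p1)
    p3 = add(p1, p2)
    q1, q2, q3 = (encrypt_point(k, p) for p in (p1, p2, p3))
    return q2 == mul(2, q1) and q3 == add(q1, q2)
```

The check succeeds for every $k$ because scalar multiplication is a group homomorphism; the DDH-style argument in the answer only applies when the $P_i$ are random and the adversary cannot plant such relations.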

Here is the proof I came up with. Please let me know if you see any problems with it...
Statement to prove: If an encryption scheme is secure in the IND\$-CPA sense, then it is secure in the IND-CPA sense as well. i.e. IND\$-CPA $\Rightarrow$ IND-CPA
The contrapositive is easier to prove: $\neg$IND-CPA $\Rightarrow$ $\neg$IND\$-CPA. This statement is a ...
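The reduction behind the contrapositive, written out as an added derivation (it is not part of the answer above). Take an IND-CPA adversary $\mathcal{A}$ with $\mathrm{Adv}^{\text{ind-cpa}}_{\mathcal{A}} := \Pr[b'=b]-\tfrac12$ and build an IND\$-CPA adversary $\mathcal{B}$ whose oracle $\mathcal{O}$ is either the real $\mathrm{Enc}_k$ or a source of random strings of the same length:

$$
\begin{aligned}
&\mathcal{B}^{\mathcal{O}}:\ \text{draw } b \leftarrow \{0,1\};\ \text{run } \mathcal{A}, \text{ answering each encryption query } m \text{ with } \mathcal{O}(m)\\
&\qquad\ \text{and the challenge } (m_0,m_1) \text{ with } \mathcal{O}(m_b);\ \text{output } 1 \text{ iff } \mathcal{A}\text{'s guess } b' \text{ equals } b.\\[6pt]
&\Pr[\mathcal{B}=1 \mid \mathcal{O}=\mathrm{Enc}_k] \;=\; \Pr[b'=b] \;=\; \tfrac12+\mathrm{Adv}^{\text{ind-cpa}}_{\mathcal{A}},\\
&\Pr[\mathcal{B}=1 \mid \mathcal{O}=\$] \;=\; \tfrac12 \qquad (\text{the random-string oracle is independent of } b),\\[6pt]
&\mathrm{Adv}^{\text{ind\$-cpa}}_{\mathcal{B}} \;=\; \bigl|\Pr[\mathcal{B}=1 \mid \mathrm{Enc}_k]-\Pr[\mathcal{B}=1 \mid \$]\bigr| \;=\; \bigl|\mathrm{Adv}^{\text{ind-cpa}}_{\mathcal{A}}\bigr|.
\end{aligned}
$$

So a non-negligible IND-CPA advantage for $\mathcal{A}$ gives $\mathcal{B}$ the same non-negligible IND\$-CPA advantage, which is $\neg$IND-CPA $\Rightarrow$ $\neg$IND\$-CPA.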

Not a complete answer, but since you mentioned "unmodified RSA" I feel it's relevant.
Something stronger than vanilla RSA is necessary, even if it isn't semantic security.
Example: What if you have a public key exponent of 3 and the symmetric key being encrypted is 16 bytes long? Using raw RSA, $m^e$ would be about $128 * 3 = 384$ bits long and thus ...

To expand / generalize @poncho's reply, given a block cipher $(E,D)$ with keylength $n$, you can make a new one $(E',D')$ with key length $n+1$, which ignores the last bit of the key and just runs $(E,D)$. If $(E,D)$ is a secure PRP, then so is $(E',D')$. But plugging $(E',D')$ into the OP's construction does not yield a secure tweakable block cipher. To see ...
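The $(E', D')$ construction from the answer above (and the 3DES parity-bit remark in the earlier answer, which is the same phenomenon with every 8th key bit ignored), as an added example that is not part of either answer. The toy PRP is a 4-round Feistel network over an HMAC-SHA256 round function, standing in for a real block cipher; the OP's construction is not shown on this page, so the example assumes the natural "XOR the tweak into the key" form. A chosen-tweak query with two tweaks that differ only in the ignored key bit returns identical blocks under $(E', D')$ and, with overwhelming probability, different blocks under $(E, D)$ or an ideal tweakable cipher.

```python
"""A PRP that ignores one key bit stays a PRP but breaks a key-XOR-tweak construction (added illustration)."""
import hashlib
import hmac

KEYLEN = 9   # bytes: E uses all 72 bits, E' ignores the last one (keylength n+1 in the answer)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    """Round function: first 4 bytes of HMAC-SHA256(key, round || half), a PRF stand-in."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def E(key, block, rounds=4):
    """4-round balanced Feistel on 8-byte blocks (toy PRP, not a real cipher)."""
    L, R = block[:4], block[4:]
    for i in range(rounds):
        L, R = R, _xor(L, _f(key, i, R))
    return L + R


def D(key, block, rounds=4):
    L, R = block[:4], block[4:]
    for i in reversed(range(rounds)):
        L, R = _xor(R, _f(key, i, L)), L
    return L + R


def E_prime(key, block):
    """(E', D') from the answer: run E on the key with its last bit cleared, i.e. ignored."""
    return E(key[:-1] + bytes([key[-1] & 0xFE]), block)


def tweakable(cipher, key, tweak, block):
    """Assumed form of the OP's construction: the tweak is XORed into the key (assumption)."""
    return cipher(_xor(key, tweak), block)


def related_tweak_collision(cipher, key):
    """Chosen-tweak distinguisher: tweaks t0, t1 differ only in the bit E' ignores.
    An ideal tweakable cipher gives independent permutations (collision prob. 2^-64);
    the E'-based construction gives the very same permutation, so the blocks collide."""
    t0 = bytes(KEYLEN)
    t1 = bytes(KEYLEN - 1) + b"\x01"
    m = bytes(8)
    return tweakable(cipher, key, t0, m) == tweakable(cipher, key, t1, m)
```

`related_tweak_collision(E_prime, key)` is always `True`, while for `E` it is `False` except with probability $2^{-64}$; the distinguisher needs two queries and no knowledge of the key, which is why a PRP assumption on $(E, D)$ alone is not enough for this kind of construction.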

Well, the obvious way to do this is:
Before the protocol occurs, Alice runs the $Gen$ procedure to create a public and a private key
For her round, Alice sends her public key to Bob
For his round, Bob selects a random symmetric key $\in \{0,1\}^n$, encrypts it with Alice's public key, and sends that encryption to Alice.
Alice decrypts the message that Bob ...

Cryptography is not just about confidentiality of the message, but also confidentiality of information about the message. Given the ciphertext, an attacker should not be able to determine any information about a message without knowing the key.
If you can tell that message A is equal to message B, that's a leak of information. This could be useful when ...

You are in a twist here:
semantic security (equal to IND-CPA) can only be fulfilled by probabilistic encryption schemes.
You need a deterministic encryption scheme for your drop-out tolerance.
As it was pointed out previously, any homomorphic encryption allows you to prove in zero knowledge the equality of two ciphertexts:
known: $c_0 = ...
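The equality proof sketched in this answer and in the earlier El Gamal answer ("a zero knowledge proof of equality of a discrete log, together with the homomorphic property"), carried out end to end as an added example that belongs to neither answer. Alice holds $x$ with $h = g^x$; anyone forms $E(a)/E(b) = (r, s) = (g^k, h^k\, a/b)$ componentwise, and Alice proves $\log_g h = \log_r s$ (a Chaum-Pedersen proof, made non-interactive with a hash challenge). That equation holds exactly when $a/b = 1$, and the proof reveals neither $x$ nor $a$. The group ($p = 1019$, $q = 509$, $g = 4$) and the exponential message encoding are assumptions for readability; the group is far too small for real use.

```python
"""El Gamal homomorphic division + Chaum-Pedersen proof that E(a) and E(b) hide the same message."""
import hashlib
import random

P, Q, G = 1019, 509, 4   # toy group: p = 2q + 1, g generates the order-q subgroup (assumption)


def keygen(rng):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)            # private x, public h = g^x


def encode(v):
    """Exponential encoding v -> g^v so that a == b  <=>  encodings are equal (assumption)."""
    return pow(G, v % Q, P)


def encrypt(h, m, rng):
    k = rng.randrange(1, Q)
    return pow(G, k, P), pow(h, k, P) * m % P


def divide(c1, c2):
    """Homomorphic E(a)/E(b): multiply E(a) by the componentwise inverse of E(b)."""
    (r1, s1), (r2, s2) = c1, c2
    return r1 * pow(r2, -1, P) % P, s1 * pow(s2, -1, P) % P


def _challenge(*vals):
    """Fiat-Shamir challenge in [1, q-1] (never 0, so a wrong statement can never pass)."""
    digest = hashlib.sha256(",".join(map(str, vals)).encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


def prove_same_log(x, h, r, s, rng):
    """Chaum-Pedersen: prove log_g h == log_r s, i.e. s == r^x, without revealing x."""
    w = rng.randrange(1, Q)
    a1, a2 = pow(G, w, P), pow(r, w, P)
    c = _challenge(G, h, r, s, a1, a2)
    return a1, a2, (w + c * x) % Q


def verify_same_log(h, r, s, proof):
    """Verifier needs only public values: g, h and the divided ciphertext (r, s)."""
    a1, a2, z = proof
    c = _challenge(G, h, r, s, a1, a2)
    return (pow(G, z, P) == a1 * pow(h, c, P) % P
            and pow(r, z, P) == a2 * pow(s, c, P) % P)


def equality_proof_accepts(a, b, seed=7):
    """Encrypt a and b under Alice's key, divide, and let Alice prove the quotient encrypts 1."""
    rng = random.Random(seed)
    x, h = keygen(rng)
    ca, cb = encrypt(h, encode(a), rng), encrypt(h, encode(b), rng)
    r, s = divide(ca, cb)                       # (g^k, h^k * enc(a)/enc(b))
    return verify_same_log(h, r, s, prove_same_log(x, h, r, s, rng))
```

When $a \ne b$ the second verification equation compares $r^{x}$ against $s = r^{x}\cdot(a/b)$; with a non-zero challenge the extra factor $(a/b)^c$ never cancels, so an honest run of the prover over unequal messages is rejected, and a dishonest prover cannot do better without $\log_g h$.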

Why is proof-by-reduction needed?
In general, reduction proofs are a very common thing in computer science. Specifically in cryptography, the reasoning goes something like this:
The general cryptographic community believes that problem $X$ is very difficult to solve. I have designed a new cipher $Y$ and want to convince the community that it would ...

What if it could? What does this definition mean in practice?
Consider $M_0=$ attack and $M_1=$ don't attack. If the adversary can distinguish which message you are sending to your troops, they can optimize their strategy to defeat you.
Another example. Say you are casting a yes ($1$) no ($0$) vote for a proposed piece of legislation. If the adversary ...

The proof for the perfect secrecy property of the one time pad is quite simple.
It makes use of basic probabilities and it says that:
$$\Pr[M=m \mid C=c]=\Pr[M=m]$$ for a probability distribution $M$ over the message space $\{0,1\}^n$ and a probability space $C$ for the ciphertext space.
Proof:
$$\Pr[C=c]=\sum_{m'}\Pr[C=c \mid M=m']\cdot \Pr[M=m'] =\sum_{m'}\Pr[K=m'\oplus c]\cdot \ldots$$

Not always, it depends on the particular encryption scheme. Strictly speaking, the proofs only say that breaking indistinguishability is equivalent to breaking the hardness assumption they are based on. There are some cryptosystems, like Rabin's, where the security of the key is equivalent to the security of the ciphertexts, i.e. factoring <=> key ...

The initial notion of semantic security from Goldwasser and Micali has been shown to be equivalent to what we call today indistinguishability under chosen plaintext attacks (IND-CPA). Yes, that's only security against a passive adversary and actually the weakest reasonable security notion that we use today.
The authors of the second paper you link seem to ...

For perfect secrecy:
$$\text{number of keys} \ge \text{number of ciphertexts} \ge \text{number of plaintexts}$$
According to Shannon's perfect secrecy theorem:
let
$$\text{number of keys} = \text{number of ciphertexts} = \text{number of plaintexts}$$
then we have perfect secrecy if and only if:
each key is used with the same probability, and
for each (plain, cipher) pair there is a unique ...
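An exact checker for the definition $\Pr[M=m \mid C=c] = \Pr[M=m]$ used in the one-time-pad proof above, applied to the Caesar cipher cases from the earlier answer and to the key-count condition of this one. This is an added example and not part of any of the answers: it enumerates every (message, key) pair with exact rational arithmetic, so the result is a proof by exhaustion for these small spaces rather than a sampling estimate. The message distributions are constructed; the key is always uniform.

```python
"""Exhaustive perfect-secrecy check: Caesar on one and two letters, too few keys, and the OTP."""
from fractions import Fraction
from itertools import product
import string

LETTERS = string.ascii_lowercase


def is_perfectly_secret(keys, msg_dist, enc):
    """True iff Pr[M=m | C=c] == Pr[M=m] for every m and every c with Pr[C=c] > 0.
    keys: finite list, chosen uniformly;  msg_dist: {m: Pr[M=m]} with exact Fractions."""
    pk = Fraction(1, len(keys))
    joint = {}                                   # (m, c) -> Pr[M=m, C=c]
    for m, pm in msg_dist.items():
        for k in keys:
            c = enc(k, m)
            joint[(m, c)] = joint.get((m, c), 0) + pm * pk
    pc = {}                                      # c -> Pr[C=c]
    for (m, c), pr in joint.items():
        pc[c] = pc.get(c, 0) + pr
    return all(joint.get((m, c), 0) / pc[c] == pm
               for c in pc for m, pm in msg_dist.items())


def uniform(space):
    return {m: Fraction(1, len(space)) for m in space}


def caesar(k, msg):
    """Shift cipher on lowercase letters, key k in 0..25."""
    return "".join(chr((ord(ch) - 97 + k) % 26 + 97) for ch in msg)


def caesar_one_char_is_perfect():
    """|K| = |M| = |C| = 26, uniform key, each key used once: perfect."""
    return is_perfectly_secret(range(26), uniform(LETTERS), caesar)


def caesar_two_chars_is_perfect():
    """676 messages but only 26 keys: e.g. C='ab' can only come from M of the form (x, x+1)."""
    msgs = [a + b for a, b in product(LETTERS, repeat=2)]
    return is_perfectly_secret(range(26), uniform(msgs), caesar)


def caesar_too_few_keys_is_perfect():
    """13 keys for 26 one-letter messages violates |K| >= |M|."""
    return is_perfectly_secret(range(13), uniform(LETTERS), caesar)


def otp_is_perfect(n=4):
    """One-time pad on n bits under a deliberately skewed message distribution: still perfect."""
    total = 2**n * (2**n + 1) // 2
    skewed = {m: Fraction(m + 1, total) for m in range(2**n)}   # constructed, non-uniform
    return is_perfectly_secret(range(2**n), skewed, lambda k, m: k ^ m)
```

Because the checker uses `Fraction`, equality is exact; the one-time pad case also illustrates that perfect secrecy is a property over every message distribution, not just the uniform one.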

That basically means 'an adversary running in a reasonable amount of time can (or cannot) distinguish one message from another once encrypted'. If we didn't care about that, there would be no point in using cryptography altogether. mikeazo gives a few good examples why this is important.
Furthermore here's the definition for the security of an encryption ...

Yes, semantic security (IND-CPA) is important, even for public-key cryptosystems and for hybrid cryptosystems.
Let's focus on hybrid cryptosystems, where a message $m$ is encrypted by picking a random symmetric key $k$, encrypting $m$ under $k$ with a symmetric-key algorithm, and also encrypting $k$ using a public-key algorithm. In this case, it's ...
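The hybrid exchange from the earlier answer ($Gen$, Alice sends her public key, Bob encrypts a random symmetric key $\in \{0,1\}^n$ to it) together with the "unmodified RSA" remark from the answer before it (exponent 3, 16-byte key, $m^e$ only about 384 bits), run end to end as an added example that is not part of any of these answers. With raw RSA the eavesdropper recovers Bob's key from the ciphertext alone by taking an integer cube root. The key generation is a self-contained Miller-Rabin routine using Python's non-cryptographic RNG, which is fine for a demonstration only; the "padded" variant is an assumed stand-in that merely shows the cube-root trick disappearing once the encoded integer is large, and is neither OAEP nor a CPA-secure scheme.

```python
"""Hybrid encryption over raw RSA with e = 3: the symmetric key leaks without the private key."""
import os
import random   # non-cryptographic RNG, acceptable for this demo only


def is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if p % 3 == 2 and is_probable_prime(p):   # p = 2 mod 3 keeps gcd(3, p-1) = 1
            return p


def rsa_keygen(bits=1024, e=3):
    """Alice's Gen: returns ((n, e), d)."""
    p = gen_prime(bits // 2)
    q = gen_prime(bits // 2)
    while q == p:
        q = gen_prime(bits // 2)
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))


def icbrt(c):
    """Largest integer x with x**3 <= c (binary search, exact on big integers)."""
    lo, hi = 0, 1 << ((c.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= c:
            lo = mid
        else:
            hi = mid - 1
    return lo


def encapsulate_raw(pk, key):
    """Bob's round with textbook RSA: int(key) has 128 bits, so m^3 (384 bits) never wraps mod n."""
    n, e = pk
    return pow(int.from_bytes(key, "big"), e, n)


def encapsulate_padded(pk, key):
    """Assumed stand-in fix: random leading bytes make m almost as large as n, so m^3 wraps."""
    n, e = pk
    size = (n.bit_length() - 1) // 8            # encoded integer stays below n
    return pow(int.from_bytes(os.urandom(size - 16) + key, "big"), e, n)


def decapsulate(pk, d, c):
    """Alice's side: the symmetric key is the last 16 bytes of the decrypted integer."""
    n, _ = pk
    return pow(c, d, n).to_bytes((n.bit_length() + 7) // 8, "big")[-16:]


def recover_key_without_private_key(pk, c):
    """Eavesdropper: with e = 3 and no wrap-around, the integer cube root of c is m itself."""
    n, e = pk
    if e != 3:
        return None
    m = icbrt(c)
    return m.to_bytes(16, "big") if m ** 3 == c and m < 1 << 128 else None


def demo():
    pk, d = rsa_keygen()
    key = os.urandom(16)                         # Bob's random symmetric key
    c_raw, c_pad = encapsulate_raw(pk, key), encapsulate_padded(pk, key)
    return {
        "alice_gets_key_raw": decapsulate(pk, d, c_raw) == key,
        "alice_gets_key_padded": decapsulate(pk, d, c_pad) == key,
        "eve_gets_key_raw": recover_key_without_private_key(pk, c_raw) == key,
        "eve_gets_key_padded": recover_key_without_private_key(pk, c_pad) == key,
    }
```

`demo()` reports that Alice decrypts in both variants while the eavesdropper succeeds only against the raw one; the padded variant defeats this particular attack but, as the answer says, what is actually needed for the hybrid scheme is an IND-CPA secure public-key encryption of the key, not an ad-hoc patch.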

To be secure against a chosen-plaintext attack, an encryption scheme must be non-deterministic — that is, its output must include a random element, so that e.g. encrypting the same plaintext twice will result in two different ciphertexts.
Indeed, if that was not the case, an attacker could easily win the IND-CPA game just by using the encryption ...
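The IND-CPA game from this answer played out in code, with the deterministic scheme that the ECB answer earlier warns about beside a randomised one. This is an added example, not part of either answer; the cipher is an HMAC-SHA256 keystream used CTR-style as a standard-library stand-in for AES (an assumption for portability, not a recommended construction), and the two chosen messages are constructed. The adversary does exactly what the answer describes: it asks the oracle to encrypt $m_0$ once more and compares the result with the challenge ciphertext.

```python
"""IND-CPA game: a replay adversary beats any deterministic scheme and only coin-flips otherwise."""
import hashlib
import hmac
import os


def keystream(key, nonce, nbytes):
    """Block i of the stream is HMAC-SHA256(key, nonce || i): a PRF stand-in for AES-CTR."""
    out = b""
    for i in range((nbytes + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:nbytes]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def enc_deterministic(key, msg):
    """Fixed nonce, no randomness: equal plaintexts give equal ciphertexts, as with ECB."""
    return xor(msg, keystream(key, bytes(16), len(msg)))


def enc_randomized(key, msg):
    """Fresh random nonce (the initialisation vector) prepended to the ciphertext."""
    nonce = os.urandom(16)
    return nonce + xor(msg, keystream(key, nonce, len(msg)))


M0, M1 = b"attack!!!!!!!!!!", b"dont attack!!!!!"   # constructed, equal-length challenge messages


def ind_cpa_game(enc, adversary, trials=64):
    """Plays the game `trials` times and returns the adversary's success rate at guessing b.
    The adversary gets an encryption oracle, the pair (m0, m1) and Enc(m_b)."""
    wins = 0
    for _ in range(trials):
        key = os.urandom(32)
        oracle = lambda m, k=key: enc(k, m)
        b = os.urandom(1)[0] & 1
        wins += adversary(oracle, M0, M1, oracle((M0, M1)[b])) == b
    return wins / trials


def replay_adversary(oracle, m0, m1, challenge):
    """Encrypts m0 again and compares: a certain win against a deterministic scheme,
    a coin flip against one that draws a fresh nonce per encryption."""
    return 0 if oracle(m0) == challenge else 1
```

Against `enc_deterministic` the success rate is exactly 1; against `enc_randomized` it hovers around $1/2$, because the replayed ciphertext never matches the challenge and the adversary is reduced to guessing.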

With any convergent encryption algorithm E, it's easy for Alice to prove -- without revealing(*) a, b or the private key -- that a == b.
In order for the data deduplication feature to work, convergent algorithms are specifically designed such that
when Alice encrypts two messages a and b, such that x=E(a), y=E(b),
then x == y whenever a == b.
There's some ...